Scenario
The following figure provides an example of the network configurations for connecting a data center to a VPC. The data center is located in Shanghai and the VPC is deployed in the China (Shanghai) region. The private CIDR block of the VPC is 172.16.0.0/16. The private CIDR block of the data center is 172.17.1.0/24. You want to connect a server in the data center to an ECS instance in the VPC by using an Express Connect circuit. The IP address of the on-premises server is 172.17.1.2. The IP address of the ECS instance is 172.16.0.1.
Configuration item | IP address/CIDR block |
Configuration item | IP address/CIDR block |
CIDR block of the VPC | 172.16.0.0/16 |
CIDR block of the vSwitch | 172.16.0.0/24 |
IP address of the ECS instance | 172.16.0.1 |
CIDR block of the data center | 172.17.1.0/24 |
Peer IP addresses | |
IP address of the on-premises server | 172.17.1.2 |
IP addresses used for health checks | |
Prerequisites
A VPC is created in the China (Shanghai) region and cloud resources such as ECS instances that host your business systems are deployed in the VPC. For more information, see Create a VPC with an IPv4 CIDR block.
Note
Before you connect an Enterprise Edition transit router to a VPC, make sure that the VPC has at least one vSwitch in a zone that supports Enterprise Edition transit routers. The vSwitch must have at least one idle IP address. In this example, the transit router is created in the China (Shanghai) region. Shanghai Zone F and Shanghai Zone G support Enterprise Edition transit routers.
You understand the security group rules of the Elastic Compute Service (ECS) instances in the virtual private cloud (VPC). Make sure that the rules allow the ECS instances to communicate with the data center. For more information, see View security group rules and Add a security group rule.
A Cloud Enterprise Network (CEN) instance is created. For more information, see the “Create a CEN instance” section of the CEN instances topic.
The VPC in a zone supported by the Enterprise Edition transit router has sufficient vSwitches. Each vSwitch has at least one idle IP address. For more information about how to create a vSwitch, see Create a vSwitch.
If the Enterprise Edition transit router is deployed in a region that supports only one zone, for example, China (Nanjing - Local Region), the VPC must have at least one vSwitch in the zone.
If the Enterprise Edition transit router is deployed in a region that supports multiple zones, for example, China (Shanghai), the VPC must have at least two vSwitches in the zones. The vSwitches must be in different zones.
Step 1: Create an Express Connect circuit
You can create a dedicated connection over an Express Connect circuit by applying for a dedicated Express Connect circuit in the Express Connect console. You can also use a hosted connection over a shared Express Connect circuit provided by an Express Connect partner. For more information, see Create and manage a dedicated connection over an Express Connect circuit or Overview of hosted connections.
The following table describes the configurations of the VBR that is associated with the Express Connect circuit in this example.
Configuration item | Value |
VLAN ID | 1 |
Alibaba Cloud Side IPv4 Address | 10.0.0.1 |
Data Center Side IPv4 Address | 10.0.0.2 |
IPv4 Subnet Mask | 255.255.255.252 |
Step 2: Create a VBR
Log on to the Express Connect console.
In the top navigation bar, select a region.
On the Physical Connection page, click the ID of the Express Connect circuit for which you want to create a VBR. Make sure that the Express Connect circuit is enabled.
On the details page of the Express Connect circuit, click Create VBR.
In the Create VBR panel, configure the following parameters and click OK.
Parameter | Description |
Account | The Alibaba Cloud account for which you want to create a VBR. In this example, Current Account is selected. |
Name | The name of the VBR. |
Express Connect Circuit | The Express Connect circuit to be associated with the VBR. Select Dedicated Physical Connection, and select the Express Connect circuit that you want to associate with the VBR. The Express Connect circuit must be enabled and work as expected. |
VLAN ID | The virtual local area network (VLAN) ID of the VBR. In this example, 1 is entered. |
Set VBR Bandwidth Value | The bandwidth of the VBR. In this example, 200Mb is selected. |
Alibaba Cloud Side IPv4 Address | The IPv4 address for the VBR to route network traffic between the VPC and the data center. In this example, 10.0.0.1 is entered. |
Data Center Side IPv4 Address | The IPv4 address for the gateway device in the data center to route network traffic between the data center and the VPC. In this example, 10.0.0.2 is entered. |
IPv4 Subnet Mask | The subnet mask of the IPv4 addresses that you specified for the VBR and the gateway device in the data center. In this example, 255.255.255.252 is entered. |
Step 3: Connect the transit router to the VPC and the VBR
Connect the transit router in the China (Shanghai) region to the VPC that you want to connect to the data center. Then, connect the transit router to the VBR that is associated with the Express Connect circuit. This way, the VPC and the data center can communicate with each other.
Log on to the CEN console.
On the Instances page, click the ID of the CEN instance that you want to manage.
On the tab, find the transit router that you want to manage and click Create Connection in the Actions column.
On the Connection with Peer Network Instance page, configure the following parameters and click OK.
Note
When you perform this operation for the first time, the system automatically creates a service-linked role named AliyunServiceRoleForCEN. This role allows the transit router to create an elastic network interface (ENI) in a vSwitch of the VPC. For more information, see AliyunServiceRoleForCEN.
Parameter | Description |
Instance Type | The type of network instance. In this example, VPC is selected. |
Region | The region in which the VPC is deployed. In this example, China (Shanghai) is selected. |
Transit Router | The system automatically displays the transit router in the selected region. |
Resource Owner ID | The Alibaba Cloud account to which the VPC belongs. In this example, Current Account is selected. |
Billing Method | By default, transit routers use the pay-as-you-go billing method. For more information, see Billing rules. |
Attachment Name | The name of the VPC connection. In this example, VPC-test is used. |
Network Instance | The ID of the VPC. In this example, the VPC that you created is selected. |
VSwitch | The vSwitch in a zone that supports transit routers. In this example, the vSwitch in the corresponding zone is selected. |
Advanced Settings | By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Automatically Create Route That Points to Transit Router and Add to All Route Tables of Current VPC. In this example, the default settings are used. |
On the Connection with Peer Network Instance page, click Create More Connections.
On the Connection with Peer Network Instance page, configure the following parameters and click OK to create a connection for VBR1.
Parameter | Description |
Instance Type | The type of the network instance. In this example, Virtual Border Router (VBR) is selected. |
Region | The region in which the VBR is deployed. In this example, China (Shanghai) is selected. |
Transit Router | The system automatically displays the transit router in the selected region. |
Resource Owner ID | The Alibaba Cloud account to which the VBR belongs. In this example, Current Account is selected. |
Attachment Name | The name of the VBR connection. In this example, VBR-test is used. |
Network Instance | The ID of the VBR. In this example, VBR1 is selected. |
Advanced Settings | By default, the following advanced features are enabled: Associate with Default Route Table of Transit Router, Propagate System Routes to Default Route Table of Transit Router, and Propagate Routes to VBR. In this example, the default settings are used. |
After the connections are created, you can view the details about the connections on the Intra-region Connections tab of the VBR details page. For more information, see View network instance connections.
Step 4: Add routes to the VBR
Add a route that points to the data center and a route that points to the Express Connect circuit to the VBR. The following procedure shows how to add a route that points to the Express Connect circuit to the VBR.
Log on to the Express Connect console.
In the top navigation bar, select a region and click Virtual Border Routers (VBRs) in the left-side navigation pane.
On the Virtual Border Routers (VBRs) page, click the ID of the VBR that you want to manage.
On the details page of the VBR, click the Routes tab and click Add Route.
In the Add Route panel, configure the following parameters and click OK.
Parameter | Description |
Next Hop Type | The type of the next hop to which the route points. In this example, Physical Connection Interface is selected. |
Destination CIDR Block | The CIDR block of the data center. In this example, 172.17.1.0/24 is entered. |
Next Hop | The Express Connect circuit that serves as the next hop. In this example, the Express Connect circuit for which you have applied is selected. |
Description | The description of the route. |
Note
By default, if you ping the IP address of the VBR from an ECS instance, you cannot reach the VBR. If you want to reach the VBR, you must first add a route that points to the Express Connect circuit and set the destination CIDR block to 10.0.0.1/30.
Step 5: Configure health checks
CEN provides the health check feature to monitor the status of connections to the data center.
Log on to the CEN console.
In the left-side navigation pane, click Health Checks.
On the Health Checks page, select the region where the VBR resides. Then, click Set Health Check. In this example, China (Shanghai) is selected.
In the Set Health Check dialog box, configure the following parameters and click OK.
Parameter | Description |
Instances | The CEN instance to which the VBR is attached. |
Virtual Border Router (VBR) | The VBR that you want to monitor. In this example, VBR1 is selected. |
Source IP Address | The source IP address. You can select one of the following methods to specify the source IP address: Automatic IP Address: The system automatically assigns an IP address from the 100.96.0.0/16 CIDR block. We recommend that you select this option. Note If you select this option and an ACL policy is configured on the peer , you must modify the ACL policy to allow this CIDR block. Otherwise, the health check fails. Custom IP Address: You need to specify an idle IP address within the 10.0.0.0/8, 192.168.0.0/16, or 172.16.0.0/12 CIDR block. The specified IP address cannot be the IP address with which you want to communicate, the IP address of the VBR on the Alibaba Cloud side, or the IP address of the VBR on the user side.
|
Destination IP | The IP address of the VBR on the user side. |
Probe Interval (Seconds) | The interval at which probe packets are sent for the health check. Unit: seconds. Default value: 2. Valid values: 2 to 3. |
Probe Packets | The number of probe packets that are sent for health checks. Unit: packet. Default value: 8. Valid values: 3 to 8. |
Change Route | Specifies whether to allow the health check feature to switch to the redundant route. By default, Change Route is turned on. This indicates that the health check feature can switch to the redundant route. If a redundant route is configured on the CEN instance, the health check feature immediately switches to the redundant route if an error is detected on the Express Connect circuit. If you turn off Change Route, the health check feature does not switch to the redundant route. Only probing is performed. The health check feature does not switch to the redundant route even if an error is detected on the Express Connect circuit. Warning Before you turn off Change Route, make sure that the system can switch to a redundant route by using other mechanisms. Otherwise, network connections are interrupted if the Express Connect circuit is down. |
Note
The system sends probe packets at the specified intervals. If the number of consecutively dropped packets reaches the specified value, the health check fails.
Step 6: Configure routes on the gateway device in the data center
After you complete the previous steps, you must log on to the gateway device in the data center and configure routes that point to the VPC. You can create a static route or configure Border Gateway Protocol (BGP) routing to forward network traffic from the data center to the VBR.
Create a static route or configure BGP routing on the gateway device in the data center to route traffic to the VPC.
The following static route is used as an example.
Note
The route in this example is provided for reference only. Route configurations may vary based on the gateway device.
ip route 172.16.0.0 255.255.0.0 10.0.0.1
Configure BGP routing. For more information, see Configure and manage BGP.
The CIDR block to be advertised is the CIDR block of the VPC connected to the data center. In this example, the CIDR block of the VPC is 172.16.0.0/16.
Run the ping command to ping the IP address of the VBR from the gateway device to verify network connectivity.
Run the ping command to ping the IP address 10.0.0.1. If you can receive echo reply packets, the gateway device in the data center is connected to Alibaba Cloud over the Express Connect circuit.
Run the following command to configure the default route on a server in the data center. The route points to the gateway device in the data center.
route add default gw 172.17.1.1
Step 7: Test the connectivity of the Express Connect circuit
To test the connectivity of the Express Connect circuit, you can ping the IP address of the VBR.
Open the CLI on a server in the data center.
Run the ping command to ping the IP address 10.0.0.1, which is the IP address of the VBR.
If you can receive echo reply packets, the on-premises server is connected to Alibaba Cloud over the Express Connect circuit.
Note
If you ping the IP address of the VBR from an ECS instance, you cannot reach the VBR.
Step 8: Test the connectivity to an ECS instance
You can ping the IP address of an ECS instance to test the connectivity between Alibaba Cloud and the data center. IP addresses of ECS instances are dynamically allocated. You must ping the private IP address of an ECS instance. In this example, the private IP address of the ECS instance is 172.16.0.1.
Note
Before you ping the private IP address, make sure that the security group rules configured for the ECS instance accept network traffic from the data center. For more information, see View security group rules.
Open the CLI on a server in the data center. Run the ping command to ping the private IP address of the ECS instance.
Log on to the ECS instance and open the CLI.
Run the ping command to ping the IP address of the server in the data center. If you can reach the IP address, the server in the data center is connected to the ECS instance on Alibaba Cloud over the Express Connect circuit.
Elastic Compute Service (ECS)
Container Compute Service (ACS)
